10313 matches found
Ozette Plugins - Cross-Site Request Forgery
An attacker can update, create, and remove the site's mobile redirects via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. id: CVE-2023-23897 info: name: Ozette Plugins - Cross-Site Request Forgery author: popcorn94 severity: medi...
CVE-2026-12740 Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter
Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter. RequestTokenV2 builds the provider authorization redirect without issuing a state value, and AccessTokenV2 exchanges the callback code and registers the resulting token into the session...
CVE-2026-58518
The CVE-2026-58518 entry describes a CSRF vulnerability in the MediaWiki RedirectManager Extension prior to version 1.3.3. The affected component is the RedirectManager Extension for MediaWiki; the documented impact is Cross-Site Request Forgery, but no exploitation details, specific vulnerable f...
CVE-2026-57637 WordPress Abandoned Cart Lite for WooCommerce plugin <= 6.8.0 - Cross Site Request Forgery (CSRF) vulnerability
Unauthenticated Cross Site Request Forgery CSRF in Abandoned Cart Lite for WooCommerce = 6.8.0 versions...
CVE-2026-57295
A cross-site request forgery CSRF vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins...
CVE-2026-57290
A cross-site request forgery CSRF vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b84449 and earlier allows attackers to overwrite the global job priority configuration...
EUVD-2026-38669
The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel blcapmainpage and on the Hall of Shame and Log subpages, which accept a 'blcapaction' / 'action'...
CVE-2026-10552
The CVE-2026-10552 entry concerns the WordPress plugin Blue Captcha (versions up to 2.0.1). It documents a Cross-Site Request Forgery (CSRF) flaw caused by missing or incorrect nonce validation on the main admin page (blcap_main_page) and on Hall of Shame and Log subpages. These pages accept a bl...
EUVD-2026-38665
The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordeskadminhome function. This makes it possible for unauthenticated attackers to update the plugin's...
CVE-2026-9721 Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update
The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settingsform/updatesettings functionality. The plugin's options page handler dispatches on the...
CVE-2026-9721
CVE-2026-9721 affects the Book a Room Event Calendar plugin for WordPress (versions up to 1.9). The vulnerability is a Cross-Site Request Forgery due to missing nonce validation on the settings_form()/update_settings() flow. The plugin’s settings page accepts POST actions and persists configurati...
PT-2026-51678
Name of the Vulnerable Software and Affected Versions MP Customize Login Page versions prior to 1.1 Description The MP Customize Login Page plugin for WordPress is subject to Cross-Site Request Forgery CSRF, a flaw where an attacker tricks a logged-in user into performing unwanted actions. The...
CSRF vulnerability and missing permission check in zdevops
zdevops 1.1.3.50.ve350c9b450b1 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
CSRF vulnerability and missing permission check in contrast-continuous-application-security
contrast-continuous-application-security 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, AP...
WordPress Osiris Signature Banner plugin <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin Osiris Signature Banner versions = 0.5...
BIT-APISIX-2026-49871 Apache APISIX: cas-auth login CSRF / session injection issue
Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...
CVE-2026-53663 React Router: `handleDocumentRequest` CSRF check covers `POST` only; PUT/PATCH/DELETE bypass
React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight,...
EUVD-2026-38214
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices...
CVE-2026-7859
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices...
EUVD-2026-38025
Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...